setuid

Jay jay at kinetic.org
Mon Dec 14 19:50:57 PST 1998


Yup -- I have that part down. However, the scripts are still running as
the Apache user (nobody). This would make me assume that the suidperl
executable is not being called for some reason. The Apache error logs say
that something needs to be disabled in the kernel, however there is no
indication as to where to look or how to disable it.

~Jay

On Mon, 14 Dec 1998, Ivan Kohler wrote:

> From the `perlsec' manpage:
> 
>        Perl can emulate the setuid and setgid mechanism
>        when it notices the otherwise useless setuid/gid bits on
>        Perl scripts.  It does this via a special executable
>        called suidperl that is automatically invoked for you if
>        it's needed.
> 
> -- 
> Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
> Open-source billing and administration for ISPs - http://www.sisd.com/freeside
> 20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
> 
> On Sun, Dec 13, 1998 at 08:12:16PM -0700, Jay wrote:
> > 
> > Well, some progress. I found a binary called 'suidperl' -- however, there
> > is no man page for it, and I cannot find any information about how to use
> > it. Any pointers?
> > 
> > ~Jay
> > 
> > On Sun, 13 Dec 1998, Ivan Kohler wrote:
> > 
> > > > My distro did include Perl5.
> > > 
> > > It probably includes Perl suid emulation in a separate package than the
> > > normal Perl package.
> > > 
> > > > I checked out the perlsec manpage, but that
> > > > recommended that I should rename all of the CGI scripts and then create
> > > > small C wrappers (with the original script name) to be setuid to call the
> > > > newly named CGI. While I am sure that is a possible (but pain in the neck)
> > > > solution, there has to be an easier/better way. :)
> > > 
> > > The better way is Perl's setuid emulation, also mentioned in the perlsec
> > > manpage.  If your distribution does not include this option (I'd be _very_
> > > surprised if Slackware didn't), then you will need to recompile Perl.
> > > 
> > > > I did try the perlsec
> > > > method on the cust_main.cgi script, however when I executed the new C code
> > > > that calls the original CGI script, it complains that setuid is still
> > > > allowed in my kernel. Unfortunately, I am not enough of a coder to get
> > > > into the kernel source and try to track that down.
> > > >
> > > > This brings me to a couple of questions: #1) how do I disable the setuid
> > > > stuff in the kernel so that the perlsec method will work?
> > > 
> > > Linux 2.0.x ignores the setuid bit on scripts, which is fine.  Perl
> > > provides setuid emulation.  You don't need to change anything in your
> > > kernel.
> > > 
> > > > #2) will I need
> > > > to create a C wrapper for _every_ setuid CGI script in the FreeSide
> > > > package?
> > > 
> > > That's one possible solution, yes.
> > > 
> > > > Finally, #3) where can I get information about that perl-suid
> > > > package?
> > > 
> > > That's the name for a Debian package.  Check your distribution's
> > > documentation for the equivalent.
> > > 
> > > > > Are you sure?  *scripts*, not ELF executables?  What language?
> > > > > 
> > > > 
> > > > Hmmm...good point. I just tested it with a quick bash shell script. It did
> > > > not work. The script was setuid to user 'jay' but when I executed it (as
> > > > user 'root') it ran as 'root'. Thus, it would seem that all of my other
> > > > setuid stuff are ELF binaries. 
> > > > 
> > > > So, now that I know my kernel will not support suid scripts, and I do not
> > > > have the perl-suid package, and the perlsec method (making C wrappers for
> > > > every suid CGI) doesn't work because of something still enabled in my
> > > > kernel -- any ideas? :) Thanks for the help. 
> > > 
> > > -- 
> > > Ivan Kohler <ivan at sisd.com> - finger for PGP key - <moc.dsis at navi> relhoK navI
> > > Open-source billing and administration for ISPs - http://www.sisd.com/freeside
> > > 20 4,16 * * * saytime # please don't be surprised if you find me dreaming too
> > > 
> > 
> > - J a y   J a c o b s o n
> > - - - - - - - - - - - - - - - - - -
> > - jay at kinetic.org   www.kinetic.org
> > 
> > Quantum Mechanics: The dreams stuff is made of.
> > 
> 

- J a y   J a c o b s o n
- - - - - - - - - - - - - - - - - -
- jay at kinetic.org   www.kinetic.org

Quantum Mechanics: The dreams stuff is made of.




More information about the freeside-users mailing list